Many online commercial activities such as online banking and other financial transactions are vulnerable to “phishing” and other crimes such as Domain Name Service (DNS) poisoning and counterfeit or spoofed web addresses, by which a consumer is tricked into divulging to criminal entities personal information necessary to log onto the consumer's account. These crimes exploit a readily identifiable vulnerability in online security: the consumer cannot verify with whom they are communicating.
One solution is to give users of Web browsers direct control over the security of messages sent over the Internet by enabling the user to specify the sole end-recipient capable of reading each message. This control can be provided through a software module running on the consumer's PC that ensures that messages sent to the user's intended recipient are encrypted with the public key associated with that recipient. Verification of these public keys is performed through a separate connection with a trusted Certification Authority.
While assuring that no other entity can read the messages sent by the user, such a system is vulnerable to a form of Man-in-the-Middle (MITM) attack if being a MITM does not require actually reading the message sent by the user. Such is the case if the MITM acts as a passive conduit for the user's messages but, because the recipient's (e.g. a bank's) replies are not likewise secured, the MITM can obtain access to the user's account for the duration of the user's session. The secure encryption of the user's outgoing message prevents the MITM from gaining independent access to the user's account without the user's notice, but this within-session vulnerability, however narrow, is significant.
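The following Go simulation, added here as an illustration and not code from the original text, models the two paragraphs above: the user's request is sealed to the recipient's public key, so a relaying MITM cannot read it, while a plaintext reply still exposes the session token; as an assumed mitigation beyond what the text proposes, the user carries a fresh session key inside the encrypted request and the recipient seals its reply under that key. The recipient key pair, the sample reply string and the session-key framing are all constructed for this example; CA verification of the public key is assumed to have already happened.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)

func gcm(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil { panic(err) }
	g, err := cipher.NewGCM(block)
	if err != nil { panic(err) }
	return g
}

// Send is the user's module: the message is encrypted to the recipient's public
// key (assumed verified via the separate CA connection) with a fresh 32-byte
// session key prepended; the relaying MITM learns neither the body nor that key.
func Send(pub *rsa.PublicKey, body string) (ct, sessionKey []byte) {
	sessionKey = make([]byte, 32)
	rand.Read(sessionKey) // crypto/rand
	pt := append(append([]byte{}, sessionKey...), body...)
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, pt, nil)
	if err != nil { panic(err) }
	return ct, sessionKey
}

// Reply is the recipient (bank) side. sealReply=false reproduces the vulnerable
// design: the reply travels in the clear and the passive conduit reads the token.
func Reply(priv *rsa.PrivateKey, ct []byte, sealReply bool) []byte {
	pt, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ct, nil)
	if err != nil { panic(err) }
	reply := []byte("SESSION-TOKEN=abc123 balance=1000") // constructed sample
	if !sealReply {
		return reply
	}
	nonce := make([]byte, 12) // standard GCM nonce size
	rand.Read(nonce)
	return gcm(pt[:32]).Seal(nonce, nonce, reply, nil)
}

// OpenReply is the user's side: unseal the reply with the session key from Send.
func OpenReply(sessionKey, sealed []byte) string {
	pt, err := gcm(sessionKey).Open(nil, sealed[:12], sealed[12:], nil)
	if err != nil { panic(err) }
	return string(pt)
}
```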